Skip to main content

Okta Integration

 

Eptura Knowledge Center

Okta Integration

  1. Last updated
  2. Save as PDF

Customer IT / SpaceIQ Onboarding Team

SpaceIQ (SiQ) supports integration with Okta and this article details how to configure the Okta provisioning integration for SiQ.

The following Okta integration features are supported:

  • Push New Users - New users created through Okta will also be created in the SiQ application.
  • Push Profile Updates - Updates made to a user's profile through Okta will be pushed to the SiQ application.
  • Push User Deactivation
    • Deactivation means the removal of all a user's data and deleting the user's account.
    • Deactivating the user or disabling the user's access to the application through Okta will delete the user in the SiQ application.

It is not possible to pull users or profile updates within SiQ from Okta. They must be pushed.

Prerequisites

Before you configure SCIM-based provisioning for SiQ, make sure you have configured, enabled, and verified SAML support between your Okta implementation and SiQ. 

You will need Okta admin privileges to complete this integration and for the SiQ setup, you must have a SiQ Admin or an IT role.

Integration Activities

Step 1. Activate the Okta Integration in SiQ

From the SiQ Web App, complete the following:

  1. Click your Profile Name in the top right corner.
  2. Click Settings. The Settings screen displays.
  3. From the left menu, click Integrations.
  4. From the Third Party Integrations area, click the READ MORE link. The Integrations screen displays.

You can either search for Okta in the Search field or navigate to Okta tile. To navigate complete the following:

  1. From the left menu, click Provisioning & SSO.
  2. For Okta, click the Activate button.

The Okta dialog displays and it contains a Provisioning tab and an SSO tab.

Provisioning Tab

This is where the SCIM Bearer Token is found, refer below for this setup.

siq_provisioning_tab.png

SSO Tab

This is where the SSO integration is set up, refer below for this setup.

siq_sso_tab.png

Step 2. Add a new SiQ app into Okta

Okta distinguishes between an application and the instances of that application. Within Okta, an app admin can be granted access to all instances of an app, or just specific instances of that application.

You must be an admin within Okta in order to provision the SiQ integration. 

The screenshots below are from the Admin Dashboard (Classic UI).

Complete the following in Okta:

  1. From the menu, click Applications. The Admin Dashboard (Classic UI) displays.
  2. Click the Add Applications button. The Add Application screen displays.

okta_activity2.png

  1. In the Search field, enter SiQ.
  2. Click Okta's SiQ app. The SiQ app displays.

okta_activity3.png

  1. Click the Add button.

Optional - In the Application label field, enter a descriptive label or name for your SiQ application within Okta and update your visibility settings. 

okta_activity4.png

  1. Click the Done button.

okta_activity5.png

Step 3. Set up the SiQ app Sign On Details

From Okta’s SiQ app, you will copy the Sign On details from Okta into your SiQ Web App.

  1. Click the Sign On tab.

okta_activity6.png

  1. Click the View Setup Instructions button. This displays the online instructions which tell you what to do.
  2. Scroll down Okta's instructions to step 5 and this lists the following:
    • SAML Identity Provider
    • X.509 Certificate
    • Okta Portal URL

okta_activity7.png

Step 3.1 Copy and paste the SAML Identify Provider Issuer

From the Okta instructions, complete the following:

  1. From the SAML Identify Provider Issuer field, copy the URL.

okta_saml_identfiy_provider_issuer.png

Return to your SiQ Web App and complete the following:

  1. From the SSO tab, in the SAML Identify Provider Issuer field, paste in the URL.

siq_saml_identfiy_provider_issuer.png

Step 3.2 Copy and paste the X.509 Certificate

Return to the Okta instructions and complete the following:

  1. From the X.508 Certificate field, copy the certificate.

Make sure that you include the ---- BEGIN CERTIFICATE ---- and the ---- END CERTIFICATE ---- in the copy as this is part of the certificate.

 okta_x509_certifcate.png

In your SiQ Web App, complete the following:

  1. In the X.509 Certificate field, paste in the certificate.

siq_x509_certificate.png

  1. Click the Activate button.

Step 3.3 Copy and paste the SAML Callback Endpoint URL

The Okta Integration displays in the active integration list.

siq_otka_integration_listed.png

  1. Click the Okta Integration. The Okta dialog displays.
  2. Click the SSO tab.

The SAML Callback Endpoint URL is now generated.

siq_saml_callback_endpoint_url.png

  1. Click the Copy copy_icon.png icon.

Return to Okta’s Sign On tab.

okta_activity6-1.png

  1. Click the Edit button and then scroll down.

okta_saml_callback_endpoint_url.png

  1. In the SAML CallBack Endpoint URL field, paste in the URL.

Step 3.4 Copy and paste the Audience URL

  1. Return to SiQ and complete the following:

siq_saml_callback_endpoint_url-1.png

  1. For the SAML Audience URL field, click the Copy copy_icon-1.png icon.
  2. Return to Okta’s Sign On tab.

okta_saml_audience_uri.png

  1. In the SAML Audience URI field, past in the URI.

Step 3.5 Set the Credential Details

From Okta’s Sign On tab, complete the following:

  1. From the Application username format select Email.
  2. Click the Save button.

okta_credentials.png

Step 4. Set up Provisioning with the SCIM Bearer Token

From SiQ, complete the following:

  1. Click your Profile Name in the top right corner.
  2. Click Settings. The Settings screen displays.
  3. From the left menu, click Integrations.
  4. From the Third Party Integrations area, click the READ MORE link. The Integrations screen displays.
  5. In the Search field, enter Okta. The Okta dialog displays.

siq_provisioning_tab-1.png

  1. For the SCIM Bearer Token, click the Copy copy_icon-2.png icon to copy the token and paste it to a secure temporary location as you will use this to configure Okta’s SiQ instance.
  2. Click the Okta’s Activate.

From Okta, complete the following:

  1. Click the Provisioning tab.

okta_provisioning1.png

  1. Click the Configure API Integration button.
  2. Tick the Enable API Integration check box.

okta_provisioning2.png

  1. In the API Token field, paste in the SCIM Bearer Token.
  2. Click the Test API Credentials button to make sure the credentials work.
  3. Click the Save button.

Next, enable the Okta Action Items.

Step 5. Enable the Okta Action Items

You will need to enable the Create Users, Update User Attributes, and Deactivate Users.

From Okta's To App screen, complete the following:

  1. Click the Edit button.

okta_provisioning3.png

  1. Check the Enable check box for the Create Users, Update User Attributes, and Deactivate Users.

okta_provisioning4.png

  1. Click the Save button.

Step 6. Assign People or Groups to the SiQ App

You can assign the people or groups within your Okta organization.

From Okta, complete the following:

  1. Click the Assignments tab.
  2. Click the Assign button.
  3. Select either Assign to People or Assign to Groups.

okta_assign.png

After you have assigned people or groups then your users can log in to the SiQ Web App.

Logout Redirect

When a user logs out of the SiQ Web App, they can be redirected back to the user's home page. To configure the logout redirect, an administrator must configure the domain URL in the SSO configuration property with the value to the user's home page.

From the SiQ Web App's Okta Integration, complete the following:

  1. Click the SSO tab.

redirect_okta_portal.png

  1. In the Okta Portal URL field, enter the URL.

Example:

https://<yoursubdomain>.okta.com/app/UserHome

  1. Click the Save button.

SiQ Login Flow (SP-initiated Login)

SiQ also supports login SSO authentication initiated from inside the SiQ Web App. The operation typically occurs when a user lands on the SiQ Web App without signing into the application first.

In order to configure SP initiated login an admin must set the redirect URL to Okta portal.   

Step 1. Copy either the Embedded Link or the URL in the Identity Provider Metadata from Okta

The URL can be obtained from two different sources:

  • Embedded Link
  • Identity Provider Metadata Location

Embedded Link

From Okta, complete the following:

  1. Click the Applications menu.
  2. In the Search field, search for the SiQ app.
  3. Click the SiQ app to open it.

The SiQ App screen displays.

  1. Click the General tab.
  2. Scroll down to the screen to the App Embed area.

embedded_link1.png

  1. Copy the Embed Link URL.

Go to Step2 below.

Identity Provider Metadata

In order to obtain location URL from metadata, an Okta admin should again log in and

From Okta, complete the following:

  1. Click the Applications menu.
  2. In the Search field, search for the SiQ app.
  3. Click the SiQ app to open it.

The SiQ App screen displays.

  1. Click the Sign On tab.
  2. Scroll down to the Identity Provider Metadata area.

embedded_link2.png

  1. Click the Identity Provider link to display the XML metadata.
  2. Locate the URL, look for the line that has SingleSignOnService, with an HTTP-POST method.

HTTP-POST-Line.jpg

  1. Copy the URL.

Go to Step2 below.

Step 2. Paste in the URL into SiQ's Okta Integration

From the SiQ Web App's Okta Integration, complete the following:

  1. Click the SSO tab.
  2. In the SSO Redirect URL field, paste in the URL

siq_sso_redirect_url.png

  1. Click the Activate button.

Attribute Mappings from SiQ to Okta User Profile

As shown in the Okta Universal Directory (UD) Profile Editor, the base profile that Okta imports from SiQ consist of 20+ attributes. Some of these attributes are mapped to the Okta user profile by default.

Custom Attributes

Okta's SiQ application has been enhanced to support user-defined custom attributes, which enables Okta to import more than 20 attributes to SiQ.

These attributes must be created and mapped manually in Okta and then define the Custom Field Name mappings in the SiQ app. The recommended mappings from SiQ to Okta are preconfigured in SiQ's base profile. See Okta Custom Attribute Mapping.

Troubleshooting Tips

Users without a First Name, Last Name, or Department in their SiQ profiles cannot be imported to Okta as new users.

In the event that a department also has teams (sub-departments), SiQ expects Organizations/Divisions that contain top-level organization and department details to also contain the Team Name. For example:

Organization: Engineering with Department: QA

 See Okta Custom Attribute Mapping.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
    Segment
    SiQ
  2. Tags
    This page has no tags.